Segfault in `QuantizeDownAndShrinkRange` in TensorFlow
Description
TensorFlow is an open source platform for machine learning. If QuantizeDownAndShrinkRange is given nonscalar inputs for input_min or input_max, it results in a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 73ad1815ebcfeb7c051f9c2f7ab5024380ca8613. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tensorflowPyPI | < 2.7.2 | 2.7.2 |
tensorflowPyPI | >= 2.8.0, < 2.8.1 | 2.8.1 |
tensorflowPyPI | >= 2.9.0, < 2.9.1 | 2.9.1 |
tensorflow-cpuPyPI | < 2.7.2 | 2.7.2 |
tensorflow-cpuPyPI | >= 2.8.0, < 2.8.1 | 2.8.1 |
tensorflow-cpuPyPI | >= 2.9.0, < 2.9.1 | 2.9.1 |
tensorflow-gpuPyPI | < 2.7.2 | 2.7.2 |
tensorflow-gpuPyPI | >= 2.8.0, < 2.8.1 | 2.8.1 |
tensorflow-gpuPyPI | >= 2.9.0, < 2.9.1 | 2.9.1 |
Affected products
1- Range: < 2.7.2
Patches
173ad1815ebcfAdd IsScalar (rank == 0) check to input_min/max tensors for QuantizeDownAndShrinkRangeOp.
3 files changed · +32 −4
tensorflow/core/kernels/quantize_down_and_shrink_range.cc+14 −2 modified@@ -40,8 +40,20 @@ class QuantizeDownAndShrinkRangeOp : public OpKernel { void Compute(OpKernelContext* ctx) override { const Tensor& input = ctx->input(0); - const float input_min_float = ctx->input(1).flat<float>()(0); - const float input_max_float = ctx->input(2).flat<float>()(0); + const Tensor& input_min = ctx->input(1); + const Tensor& input_max = ctx->input(2); + + OP_REQUIRES( + ctx, TensorShapeUtils::IsScalar(input_min.shape()), + errors::InvalidArgument("`input_min` must be rank 0 but is rank ", + input_min.dims())); + OP_REQUIRES( + ctx, TensorShapeUtils::IsScalar(input_max.shape()), + errors::InvalidArgument("`input_max` must be rank 0 but is rank ", + input_max.dims())); + + const float input_min_float = input_min.scalar<float>()(); + const float input_max_float = input_max.scalar<float>()(); Tensor* output = nullptr; OP_REQUIRES_OK(ctx, ctx->allocate_output(0, input.shape(), &output)); Tensor* output_min = nullptr;
tensorflow/core/kernels/quantize_down_and_shrink_range_op_test.cc+2 −2 modified@@ -53,8 +53,8 @@ TEST_F(QuantizeDownAndShrinkRangeTest, HandCrafted) { const int value_count = 3; AddInputFromArray<qint32>(TensorShape({value_count}), {-(1 << 23), 0, (1 << 23)}); - AddInputFromArray<float>(TensorShape({1}), {-256.0f}); - AddInputFromArray<float>(TensorShape({1}), {256.0f}); + AddInputFromArray<float>(TensorShape({}), {-256.0f}); + AddInputFromArray<float>(TensorShape({}), {256.0f}); TF_ASSERT_OK(RunOpKernel()); Tensor expected(allocator(), DT_QUINT8, TensorShape({value_count})); test::FillValues<quint8>(&expected, {0, 128, 255});
tensorflow/python/kernel_tests/quantization_ops/quantization_ops_test.py+16 −0 modified@@ -261,5 +261,21 @@ def test_invalid_inputs(self): out_type=dtypes.quint8)) +class QuantizeDownAndShrinkRangeOpTest(test_util.TensorFlowTestCase): + + @test_util.run_in_graph_and_eager_modes + def test_invalid_inputs(self): + inputs = constant_op.constant( + np.int32(0), shape=[3, 3, 3, 3], dtype=dtypes.qint32) + + with self.assertRaisesRegex((ValueError, errors.InvalidArgumentError), + "must be rank 0"): + self.evaluate( + math_ops.quantize_down_and_shrink_range(input=inputs, + input_min=[], + input_max=4.0, + out_type=dtypes.quint8)) + + if __name__ == "__main__": googletest.main()
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-vgvh-2pf4-jr2xghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-35974ghsaADVISORY
- github.com/tensorflow/tensorflow/commit/73ad1815ebcfeb7c051f9c2f7ab5024380ca8613ghsax_refsource_MISCWEB
- github.com/tensorflow/tensorflow/releases/tag/v2.10.0ghsaWEB
- github.com/tensorflow/tensorflow/security/advisories/GHSA-vgvh-2pf4-jr2xghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.